Latest Microsoft patch does not plug all holes

Microsoft's effort last week to fix a vulnerability in the Internet Explorer (IE) web browser program and end the latest series of internet attacks does not address another closely related and dangerous vulnerability, according to a security specialist.

Dutch security expert Jelmer Kuperus published code on the web last week that he said can be used to break into fully patched Windows systems using a slightly modified version of an attack called Download.Ject which Microsoft patched last week.

The latest attack targets a hole in a different Windows component than the one addressed by Microsoft's software patch. Using a similar attack, malicious hackers could break into even patched Windows machines, Kuperus said.

Microsoft confirmed that the company is aware of the exploit code, but does not believe any customers have been attacked using the Shell.Application exploit, a spokeswoman said.

Last week, Microsoft introduced a security update for Internet Explorer 6.0 to end the threat of Download.Ject. The update disables a Windows component called ADODB.Stream, which was allegedly being used by a Russian criminal gang called the Hangup Team to install malicious code on computers.

By attacking a different Windows ActiveX component called Shell.Application, hackers can load malicious code onto machines. The attack relies on a vulnerability in Shell.Application discovered and disclosed in January by a security expert known by the online handle "http-equiv," Kuperus said. ( archives.neohapsis.com/archives/fulldisclosure/2004-01/0001.html.)

To prove his point, Kuperus posted a copy of attack code that targets the Shell.Application component on a website. Web surfers that use Windows XP with IE and visit the page are confronted with a screen that freezes Windows.

According to Kuperus this example is harmless, but the exploit could be used in the same way the group of Russian criminals exploited the ADODB.Stream vulnerability in a series of attacks in June.

Those attacks combined compromises unpatched Microsoft Internet Information Services (IIS) web servers with attacks using two vulnerabilities in Windows and the Internet Explorer web browser. Web surfers visiting compromised websites had malicious code secretly downloaded to run on their systems.

When run, the code redirected web browsers to websites controlled by the hackers, from which personal data was downloaded and a Trojan horse program captured keystrokes.

Kuperus joined the expert known as http-equiv to create computer code that demonstrated the Shell.Application vulnerability. After the attacks in June, the two anticipated the patch issued by Microsoft would not be comprehensive and began writing a new exploit before Microsoft actually plugged the ADODB.Stream vulnerability.

A few hours after Microsoft issued its update, Kuperus posted the new exploit on his site.

"We discovered that by simply switching components, the exploit is back in business," Kuperus said.

Microsoft acknowledged that the Shell.Application has similar capabilities to the ADODB.Stream component. However, it does not yet have configuration changes to address the vulnerability, as it did with ADODB.Stream, a spokeswoman said.

The software company is investigating the issue and is planning a series of updates to IE in the coming weeks that will provide additional security for its customers, she said.

Email Alerts

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

It can be tempting to stray from the security roadmap security professionals have put in place when data breaches like the Sony and Anthem breaches are all over the news. But experts say it's crucial to stick to the security basics.

The Open Data Platform has arrived, but not all Hadoop vendors are on board. The initiative, aimed at boosting interoperability, formed a backdrop for discussion at the Strata + Hadoop World 2015 conference.